Cisco Support Community
allowing outbound connections in PIX firewall 5xxx

Hi, can you tell me in simple terms how to allow certain IP addresses from inside my network to be configured for outbound connections?

4 REPLIES

Re: allowing outbound connections in PIX firewall 5xxx

Usually, if the hosts are on the inside interface, you just need to do NAT or PAT (Network or Port Address Translation).

A host on a higher security level can always access all other lower security levels if there is not an access-list that blocks this explicitly.

inside = Security level 100

dmzX = 99-1

outside = 0

See:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_command_reference_chapter09186a00801727ab.html#wp1032129

Establishing Outbound Connectivity with NAT and PAT:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a0080172786.html

Example:

# nat id 1: the whole 10.1.0.0/24 subnet is translated through global pool 1
nat (inside) 1 10.1.0.0 255.255.255.0

# nat id 2: two individual hosts (host mask) are translated through global pool 2
nat (inside) 2 10.1.1.1 255.255.255.255

nat (inside) 2 10.1.1.2 255.255.255.255

# a single address in a global pool is used as a PAT address for all hosts matching that nat id
global (outside) 1 209.165.200.221

global (outside) 2 209.165.200.225

sincerely

Patrick


Re: allowing outbound connections in PIX firewall 5xxx

Hi Patrick, so if I have a guy who needs to test some software from inside our office, which connects to an external IP address, do I just need to do

nat (inside) 195.26.26.150 255.255.255.0 ? or

global (outside) 195.26.26.150 255.255.255.0

Thanks


Re: allowing outbound connections in PIX firewall 5xxx

Assuming you've got the basic inbound/outbound connectivity set up with the PIX, then you only need to create an outbound ACL and apply it to the PIX inside interface.

e.g.

# 192.168.1.1 may reach anything on any IP protocol
access-list 100 permit ip host 192.168.1.1 any

# 192.168.1.2 may only reach TCP port 80 (HTTP); everything else from inside hits the implicit deny at the end of the list
access-list 100 permit tcp host 192.168.1.2 any eq 80

# bind the list to traffic entering the PIX on the inside interface
access-group 100 in interface inside

Re: allowing outbound connections in PIX firewall 5xxx

The syntax is like this:

nat (inside) 1 Inside-Private-IP 255.255.255.255

global (outside) 1 Outside-Public-IP 255.255.255.255

As Jackko mentioned, if you have an inside interface access-list, then add the lines to that access-list. But this will block all other hosts from connecting outside.

access-list 100 permit ip host 192.168.1.1 any

access-list 100 permit tcp host 192.168.1.2 any eq 80

access-group 100 in interface inside

Another way would be to Port Address Translate all hosts to the outside with the IP of the outside interface and then limit the allowed hosts with the inside access-list.

Example:

# PAT all inside hosts to the outside interface IP

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

# Add an access-list to the inside interface to allow outbound connections for a few hosts on TCP port 80 (HTTP). Every other inside host is dropped by the implicit deny at the end of the list.

access-list inside permit tcp host Inside-host-IP1 any eq 80

access-list inside permit tcp host Inside-host-IP2 any eq 80

access-group inside in interface inside

# Then clear the translation table. This tears down all existing translations and their connections!

clear xlate

sincerely

Patrick
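
The replies above describe three things a PIX checks before an inside host gets out: the security-level rule from Patrick's first reply (higher level may reach lower level by default), the effect of binding an access-list "in" on the inside interface (Jackko's reply and Patrick's second reply: only listed hosts pass, everything else hits the implicit deny), and the need for a nat/global pair so a translation can be built. The checker below is an added example written for this thread, not code from the thread or from Cisco: it parses the nameif/nat/global/access-list/access-group lines into a small policy model and answers "can this host get out?" with the reason. The sample configs, the host and destination addresses, and the longest-prefix choice between overlapping nat rules are constructed assumptions for the illustration; nat 0, static, conduit and the "out" ACL direction are not modelled.

```python
"""Added example: a toy model of the PIX outbound decision, not Cisco software.

Rules modelled (from the thread above):
  1. Traffic is only allowed by default from a higher to a lower security level.
  2. If an access-group binds an ACL "in" on the ingress interface, that ACL is
     consulted top-down and ends in an implicit deny.
  3. The source must be covered by a nat rule whose id has a global on the egress
     interface, otherwise no translation (xlate) can be built.
Simplifications: IPv4 only, "in" direction only, longest-prefix nat match (assumption).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "domain": 53}


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp", "icmp"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]             # None means any destination port


@dataclass
class PixPolicy:
    security: dict = field(default_factory=dict)       # iface -> security level
    nat_rules: list = field(default_factory=list)      # (iface, nat_id, network)
    global_ids: dict = field(default_factory=dict)     # iface -> {nat_id, ...}
    acls: dict = field(default_factory=dict)           # name -> [AclEntry, ...]
    access_groups: dict = field(default_factory=dict)  # iface -> ACL name bound "in"


def _addr(tokens, i):
    """Parse a PIX address spec at tokens[i]; return (network, tokens consumed)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), 2
    # PIX access-lists use a real subnet mask, not an IOS wildcard mask
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), 2


def parse_config(text):
    """Build a PixPolicy from nameif / nat / global / access-list / access-group lines."""
    pol = PixPolicy()
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] in ("!", ":", "#"):
            continue
        if t[0] == "nameif":                   # nameif ethernet1 inside security100
            pol.security[t[2]] = int(t[3][len("security"):])
        elif t[0] == "nat":                    # nat (inside) 1 10.1.0.0 255.255.255.0 [max_conns em_limit]
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            pol.nat_rules.append((t[1].strip("()"), int(t[2]), net))
        elif t[0] == "global":                 # global (outside) 1 interface | 1 a.b.c.d[-e.f.g.h]
            pol.global_ids.setdefault(t[1].strip("()"), set()).add(int(t[2]))
        elif t[0] == "access-list":            # access-list NAME permit tcp host A any eq 80
            src, n = _addr(t, 4)
            dst, m = _addr(t, 4 + n)
            j = 4 + n + m
            dport = None
            if j + 1 < len(t) and t[j] == "eq":
                dport = PORT_NAMES.get(t[j + 1]) or int(t[j + 1])
            pol.acls.setdefault(t[1], []).append(AclEntry(t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":           # access-group NAME in interface inside
            pol.access_groups[t[4]] = t[1]
    return pol


def check_outbound(pol, src_ip, dst_ip, proto="tcp", dport=80, in_if="inside", out_if="outside"):
    """Return (allowed, reason) for a new connection from src_ip on in_if to dst_ip via out_if."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    # Rule 1: only higher -> lower security level is open without a static/conduit.
    if pol.security.get(in_if, -1) <= pol.security.get(out_if, -1):
        return False, f"{in_if} is not a higher security level than {out_if}"
    # Rule 2: an ACL bound "in" on the ingress interface replaces the default (implicit deny).
    acl = pol.access_groups.get(in_if)
    if acl is not None:
        for e in pol.acls.get(acl, []):
            if e.proto not in ("ip", proto) or src not in e.src or dst not in e.dst:
                continue
            if e.dport is not None and e.dport != dport:
                continue
            if e.action == "deny":
                return False, f"denied by access-list {acl}"
            break                              # first matching permit wins
        else:
            return False, f"no matching permit in access-list {acl} (implicit deny)"
    # Rule 3: the most specific nat rule on in_if must have a global with the same id on out_if.
    candidates = [(net.prefixlen, nid) for iface, nid, net in pol.nat_rules if iface == in_if and src in net]
    if not candidates:
        return False, "no nat rule covers the source, so no xlate can be built"
    nat_id = max(candidates)[1]
    if nat_id not in pol.global_ids.get(out_if, set()):
        return False, f"nat id {nat_id} has no matching global on {out_if}"
    return True, f"allowed, translated via nat/global id {nat_id}"


# Constructed sample configs (illustrative addresses; the PAT+ACL one mirrors the shape of the thread's last example).
PAT_WITH_ACL = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list inside permit tcp host 192.168.1.1 any eq 80
access-list inside permit tcp host 192.168.1.2 any eq 80
access-group inside in interface inside
"""
PAT_NO_ACL = "\n".join(PAT_WITH_ACL.splitlines()[:4]) + "\n"   # same box before the ACL is bound

if __name__ == "__main__":
    for name, cfg in (("PAT_WITH_ACL", PAT_WITH_ACL), ("PAT_NO_ACL", PAT_NO_ACL)):
        pol = parse_config(cfg)
        for host, port in (("192.168.1.1", 80), ("192.168.1.1", 443), ("192.168.1.3", 80)):
            print(name, host, port, check_outbound(pol, host, "203.0.113.10", dport=port))
```

Running the script shows the contrast the thread is about: with PAT_NO_ACL every inside host gets out on any port (rule 1 plus a matching nat/global), while with PAT_WITH_ACL only 192.168.1.1 and 192.168.1.2 on TCP/80 pass and 192.168.1.3, or 192.168.1.1 on 443, is stopped by the implicit deny. Feeding it a config with a nat rule but no global for that id reproduces the "no translation" failure rather than an ACL failure, which is a useful distinction when troubleshooting with `show xlate`.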
